On 11/8/05 7:50 PM, Tony Di Croce wrote:
I have a server with a few virtual hosts. All of my scripts use "session_start()", and $_SESSION[] to share data between invocations of different scripts. The problem I'm having is that if a form on site A submits to a script on site B the values stashed in $_SESSION[] appear to be lost... Should this work? If not, then what alternatives exist? I suppose I could pass the session id as a POST argument to the site B script (and there's probably a method in PHP that given a session_id() makes available all of that session's $_SESSION[] variables) but is that the best way?
This won't work due to obvious security reasons. A session cannot be shared across two domains, nor can cookies (though cookies can be shared across subdomains of the same domain).
I think the approach here will need to err on the side of caution. You don't want to pass the session identifier through the URL (or POST) too much because it risks exposure and the possibility for session hijacking, though it should be possible to do this and grab the session information for the session id from the directory where sessions are stored (oftentimes this is in /tmp). I would advise against this for reasons I've already mentioned.
Instead, as I said, err on the side of caution here by annoying your users just a little bit. Here's what I mean: the multiple virtual hosts can share the same authentication/user profile database. Thus, users can log into each individual host and access the same profile. So, you'll need to authenticate the user when they visit a new host. This may be a decrease in usability, but it's an increase in security.
For more information about sessions, read the manual: http://www.php.net/session
-- Ben Ramsey http://benramsey.com/
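The approach recommended in the reply above (each virtual host runs its own login against one shared user database, and the session id stays in a host-only cookie), as an added example that is not part of the original message. The table layout, the function names and the sample account are assumptions; an in-memory SQLite database stands in for the shared profile database.

```php
<?php
// Added example: per-host login against a shared user database.
// Schema, function names and the sample account are constructed.

function open_user_db(): PDO {
    // Stand-in for the shared profile database; in a real deployment
    // every virtual host would connect to the same DSN.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pw_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (login, pw_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);
    return $db;
}

function start_host_session(): void {
    // Keep the id out of URLs and form fields; cookie only.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // No 'domain' key: the cookie is host-only, so the browser never
    // sends this host's session id to another virtual host.
    session_set_cookie_params([
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $db, string $login, string $password): bool {
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    // Issue a fresh id on login so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

start_host_session();
$db = open_user_db();
$rejected = login($db, 'alice', 'wrong-password');
$accepted = login($db, 'alice', 'constructed-sample-pw');
// Print only after all session calls, since they must precede output.
var_dump($rejected, $accepted, $_SESSION['user_id']);
```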